Guidance but Not Direction: The FTC’s Tool for Mobile Health App Developers

The Federal Trade Commission (FTC) released an interactive tool this week meant to help mobile health app developers determine the laws and regulations that might apply to them. The guidance is a good primer for developers who want to understand basic legal compliance, and it’s great that the FTC recognizes that it is as important for companies to educate themselves about privacy and security standards as it is for consumers.

The fact that the tool was a collaborative effort between several key agencies – the FTC, FDA, OCR and ONC all contributed – is an important acknowledgement by the government that the collection and use of personal health data has rapidly moved beyond the ability of one agency or law to effectively regulate it. It illustrates a greater need for forward-thinking policy solutions to address gaps in protection for health data.


It’s not intended to be comprehensive, and so the guidance doesn’t address some laws and scenarios where personal health information comes into play. For example, the tool does not mention that developers might be liable under California’s Confidentiality of Medical Information Act, which covers health and wellness apps that meet the definition of “providers of health care”.

Many health app developers who use the FTC’s interactive tool will discover that existing laws and regulations do not cover many of their products. Apps are increasingly being deployed outside of a traditional healthcare setting, such as through employee wellness programs, where there are few rules about privacy and security. If a wellness program is outside of a workplace insurance plan, the collection and use of highly personal health information, and of non-health information like behavioral indicators, is governed solely by the wellness vendor’s privacy policy.

The guidance also does little to address complex legal and ethical questions facing health app developers, such as when Business Associate agreements under the Health Insurance Portability and Accountability Act (HIPAA) are triggered, particularly when health data is transferred through or stored in the cloud; when and how to obtain informed consent from users; and how to create datasets that are representative of ethnic and socioeconomic differences.


All of this points to a larger problem: our existing legal regime for personal health information is badly fragmented, leaving large loopholes in privacy and security protections for that information. Laws like HIPAA, the FTC Act, the FTC’s Health Breach Notification Rule and the Federal Food, Drug, and Cosmetic Act are narrowly aimed at specific bits and pieces of the health data ecosystem, and they reflect a more traditional health care model than the one that exists today. There is no cohesive definition, for example, of what constitutes health information, nor an accurate accounting of commercial health data flows that fall outside the purview of any law or regulation. Though these laws are important tools, the agencies tasked with their enforcement face hurdles like jurisdictional constraints, limited resources, and weak regulatory authority.

Health data is inherently sensitive and intrinsically personal. As the collection and use of this information grows and becomes more complex, public policy’s focus should turn away from compliance and toward building a system of unified, comprehensive protection.